The full anatomy of a phishing site,
one URL at a time.
ZeroPhish renders the page, runs twelve detection signals against the DOM, certificate chain, brand fingerprint and threat feeds, and returns a typed verdict. Built for security teams and product engineers.
Suspicious — review required
| URL | hxxps://newconnect-ldgr-live[.]framer[.]media/en-us | |
| Host | newconnect-ldgr-live[.]framer[.]media | |
| Registered domain | framer[.]media | |
| Brand | Ledger | |
| Screenshot | https://cdn.zerophish.ai/25c62787-513a-4b73-97dd-8cb2a9825ac5.jpg | |
| Scan ID | 49f32512-8102-4334-8e93-2ea36548a1e3 |
| Host | newconnect-ldgr-live.framer.media |
| Registered domain | framer.media |
| Scheme | https |
| Content length | 115345 B |
| HTTP | 200 · text/html |
| JARM | 7939b39b37937930320320320320128c19258acd09ccdea8faad630541ff7e |
| Redirect hops | 1 |
The page claims to be an “Official Ledger Live” login guide, but it does not present an actual login/credential form in the provided HTML—it’s primarily informational text about using the Ledger Live app. The main suspicious signal is the hosting domain: newconnect-ldgr-live.framer.media, which is not a Ledger-registered domain, and the presence of a generic Framer footer. While the content is consistent with Ledger best practices (e.g., “never share your recovery phrase”), the mismatch between branding and domain ownership prevents a definitive legitimacy judgment.
No urgency, account-compromise warnings, or password/seed harvesting form is visible. Because evidence is limited to a short simplified HTML without assets (e.g., favicon) or redirects, confidence is conservatively set to low.
Brand-impersonation page hosted on Framer’s free platform (newconnect-ldgr-live.framer.media) using Ledger branding and “Ledger Live Login” keyword targeting. No credential form detected — page is purely informational with a link to the official ledger.com. No credential harvesting possible on this page alone, but the domain impersonation and SEO bait pattern are suspicious.